Layer7 API Management

  • Private Community
 View Only

  • 1.  dropping websocket by policy

    Posted Mar 15, 2018 06:22 AM

    Hi Team.

    is it possible to drop a websocket Connection from within an Inbound policy ?

    Scenario is the following:

    • WS Client is opening websocket through apigw
    • WS Client is sending authorization Information (token) through its first message through websocket
    • Inbound policy needs to check provided Information against IDP and might drop the Connection if check Fails.

     

    How to achieve this scenario,

    If we are not able to drop the connection, than we would need to remember that this connection is authenticated, because the tolken is not part of any further Messages sent through this WS channel.

    Any idea?

    Thanks for thoughts and help.

     

    Kind regards

    ...........Michael



  • 2.  Re: dropping websocket by policy

    Posted Mar 19, 2018 10:18 AM

    Hi, Michael.

     

    Customize Error Response assertion can be configured to drop the connection :

    Error Level

    Select the response to use for an error:

    • Template Response: The assertion will return the response in the Response Body.
    • Drop Connection: The connection is simply dropped, with no response ("stealth" mode).

    Customize Error Response Assertion - CA API Gateway - 9.2 - CA Technologies Documentation 

     

    Another option is to use Return Template Response to Request. It also has the option to drop the connection:

     

    Send Response immediately

    Select this check box to send the template response message immediately, with or without a payload. The transmission of a payload depends on the status code (for example, a '204 (No Content) response status indicates to skip payload transmission).

    Clear this check box to send the template response at the completion of the policy.

    WARNING: Do not enable this option for most common use cases. Doing so closes the connection immediately and disables keep-alive, causing significant performance degradation. Additionally, the Gateway will apply no WS-Security decoration to the response message.

     

    Return Template Response to Requestor Assertion - CA API Gateway - 9.2 - CA Technologies Documentation 



  • 3.  Re: dropping websocket by policy

    Posted Mar 19, 2018 10:36 AM

    Hi Leandro.

    This seems to be exactly, what I was looking for.

    Too bad I didn't recognize this assertion by my own.

    Thanks a ton  for this hint. I will give it a try and let you know.

    Best regards

    ...............Michael



  • 4.  Re: dropping websocket by policy

    Posted Mar 19, 2018 01:17 PM

    Hi Leandro.

    I did a short test and it seems that this assertion does not drop the websocket connection from within an inbound policy as exepcted. It seems not to be feasible for this approach.

    Thanks anyway

    ............Michael



  • 5.  Re: dropping websocket by policy
    Best Answer

    Posted Mar 20, 2018 03:34 PM

    Hi Michael, 

    I'm not expert on websockets but doing some research, the protocol demands an exchange to interpret the close connection command.

    RFC 6455 - The WebSocket Protocol 

     

    Probably, when we use the assertions to drop the connection, it drops the TCP connection but the client doesn't recognize it.



  • 6.  Re: dropping websocket by policy

    Posted Mar 28, 2018 06:56 AM

    Hi Leandro.

    finally I did a retest with a different JavaScript based simple websocket Client. It reveals that the websocket gets dropped, when dropping the connection  with the "Customize Error Response Assertion".

    Thanks a lot and best regards

    ............Michael